2013-06-03 09:27:08

by Dan Carpenter

[permalink] [raw]
Subject: [patch] cciss: info leak in cciss_ioctl32_passthru()

The arg64 struct has a hole after ->buf_size which isn't cleared.
Or if any of the calls to copy_from_user() fail then that would
cause an information leak as well.

Signed-off-by: Dan Carpenter <[email protected]>

diff --git a/drivers/block/cciss.c b/drivers/block/cciss.c
index 6374dc1..34971aa 100644
--- a/drivers/block/cciss.c
+++ b/drivers/block/cciss.c
@@ -1201,6 +1201,7 @@ static int cciss_ioctl32_passthru(struct block_device *bdev, fmode_t mode,
int err;
u32 cp;

+ memset(&arg64, 0, sizeof(arg64));
err = 0;
err |=
copy_from_user(&arg64.LUN_info, &arg32->LUN_info,


2013-06-04 10:39:29

by Prasad Pandit

[permalink] [raw]
Subject: Re: [patch] cciss: info leak in cciss_ioctl32_passthru()

Hello Dan,
===
diff --git a/drivers/block/cciss.c b/drivers/block/cciss.c
index 6374dc1..34971aa 100644
--- a/drivers/block/cciss.c
+++ b/drivers/block/cciss.c
@@ -1201,6 +1201,7 @@ static int cciss_ioctl32_passthru(struct block_device
*bdev, fmode_t mode,
int err;
u32 cp;

+ memset(&arg64, 0, sizeof(arg64));
...
===

This exact same patch was included back in 2010 by Mr Vasiliy Kulikov.

-> https://git.kernel.org/linus/7ab5118d7c2be650bc936894f159dc1c597badae

But there is no entry/log of its reversal. Any idea why was it removed?

Thank you.
--
Prasad J Pandit / Red Hat Security Response Team
DB7A 84C5 D3F9 7CD1 B5EB C939 D048 7860 3655 602B

2013-06-04 11:18:19

by Dan Carpenter

[permalink] [raw]
Subject: Re: [patch] cciss: info leak in cciss_ioctl32_passthru()

On Tue, Jun 04, 2013 at 04:09:10PM +0530, P J P wrote:
> Hello Dan,
> ===
> diff --git a/drivers/block/cciss.c b/drivers/block/cciss.c
> index 6374dc1..34971aa 100644
> --- a/drivers/block/cciss.c
> +++ b/drivers/block/cciss.c
> @@ -1201,6 +1201,7 @@ static int cciss_ioctl32_passthru(struct
> block_device *bdev, fmode_t mode,
> int err;
> u32 cp;
>
> + memset(&arg64, 0, sizeof(arg64));
> ...
> ===
>
> This exact same patch was included back in 2010 by Mr Vasiliy Kulikov.
>
> -> https://git.kernel.org/linus/7ab5118d7c2be650bc936894f159dc1c597badae
>
> But there is no entry/log of its reversal. Any idea why was it removed?

No no. Vasily patched cciss_ioctl32_big_passthru() and this patch
changes cciss_ioctl32_passthru().

regards,
dan carpenter

2013-06-04 11:48:43

by Prasad Pandit

[permalink] [raw]
Subject: Re: [patch] cciss: info leak in cciss_ioctl32_passthru()

| No no. Vasily patched cciss_ioctl32_big_passthru() and this patch
| changes cciss_ioctl32_passthru().

Oops, yeah, I missed the `big' part!

Thanks.
--
Prasad J Pandit / Red Hat Security Response Team
DB7A 84C5 D3F9 7CD1 B5EB C939 D048 7860 3655 602B

2013-09-11 07:39:09

by Dan Carpenter

[permalink] [raw]
Subject: [patch -resend] cciss: info leak in cciss_ioctl32_passthru()

The arg64 struct has a hole after ->buf_size which isn't cleared.
Or if any of the calls to copy_from_user() fail then that would
cause an information leak as well.

This was assigned CVE-2013-2147.

Signed-off-by: Dan Carpenter <[email protected]>

diff --git a/drivers/block/cciss.c b/drivers/block/cciss.c
index 6374dc1..34971aa 100644
--- a/drivers/block/cciss.c
+++ b/drivers/block/cciss.c
@@ -1189,6 +1189,7 @@ static int cciss_ioctl32_passthru(struct block_device *bdev, fmode_t mode,
int err;
u32 cp;

+ memset(&arg64, 0, sizeof(arg64));
err = 0;
err |=
copy_from_user(&arg64.LUN_info, &arg32->LUN_info,

2013-09-11 18:14:52

by Mike Miller

[permalink] [raw]
Subject: RE: [patch -resend] cciss: info leak in cciss_ioctl32_passthru()



-----Original Message-----
From: Dan Carpenter [mailto:[email protected]]
Sent: Wednesday, September 11, 2013 2:39 AM
To: Miller, Mike (OS Dev); Andrew Morton
Cc: ISS StorageDev; [email protected]; [email protected]; Moritz Muehlenhoff
Subject: [patch -resend] cciss: info leak in cciss_ioctl32_passthru()

The arg64 struct has a hole after ->buf_size which isn't cleared.
Or if any of the calls to copy_from_user() fail then that would cause an information leak as well.

This was assigned CVE-2013-2147.

Signed-off-by: Dan Carpenter <[email protected]>

Acked-by: Mike Miller <[email protected]>

diff --git a/drivers/block/cciss.c b/drivers/block/cciss.c index 6374dc1..34971aa 100644
--- a/drivers/block/cciss.c
+++ b/drivers/block/cciss.c
@@ -1189,6 +1189,7 @@ static int cciss_ioctl32_passthru(struct block_device *bdev, fmode_t mode,
int err;
u32 cp;

+ memset(&arg64, 0, sizeof(arg64));
err = 0;
err |=
copy_from_user(&arg64.LUN_info, &arg32->LUN_info,